IBM Support

Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - October 2020

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 7, and 8** that are used by Maximo Asset Management, Maximo Asset Management Essentials, Maximo Asset Management for Energy Optimization, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities), Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, Change and Configuration Management Database, and IBM Control Desk. These issues were disclosed as part of the IBM Java SDK updates in October 2020. Not included: CVE-2020-14782

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)Version(s)
IBM Maximo Asset Management7.6.1.0
IBM Maximo Asset Management7.6.1.2
IBM Maximo Asset Management7.6.0.10
IBM Maximo Asset Management7.6.1.1


CVEID:   CVE-2020-14792
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Hotspot component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:   CVE-2020-14797
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190115 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2020-14781
DESCRIPTION:   An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-14779
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190097 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-14798
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:   CVE-2020-14796
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

The following IBM Java versions are affected:

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 70 and earlier releases
IBM SDK, Java Technology Edition, Version 7 R1 Service Refresh 4 Fix Pack 70 and earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 6 Fix Pack 16 and earlier releases

Note 1: CVE-2020-14792 only applies to IBM SDK, Java Technology Edition on Solaris, HP-UX, and Mac OS.

Note 2: CVE-2020-14798 only applies to IBM SDK, Java Technology Edition on Windows.

For detailed information on which CVEs affect which releases, please refer to the IBM SDK, Java Technology Edition Security Vulnerabilities page.

It is likely that earlier unsupported versions are also affected by these vulnerabilities. Remediation is not provided for product versions that are no longer supported. IBM recommends that customers running unsupported versions upgrade to the latest supported version of products in order to obtain remediation for the vulnerabilities.


Remediation/Fixes

There are two areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation:

1. Application Server – Update the Websphere Application Server. Refer to Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for additional information on updating and maintaining the JDK component within Websphere. Customers with Oracle Weblogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server.

2. Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on developerWorks JavaTM Technology Security Alerts or referenced on Oracle’s latest Critical Patch Update (which can be accessed via developerWorks JavaTM Technology Security Alerts). Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest Maximo Asset Management Fix Pack.

3. Admin Tools - Update the JRE version in the <MAXIMO_HOME>/tools/java directory using the remediated JRE version referenced on Java SDK downloads, version 8.0.

Due to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

01 Dec 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSWT9A","label":"IBM Control Desk"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1.1, 7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.1, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKYL","label":"Maximo Enterprise Adapter"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1, 7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3AXP","label":"Maximo Linear Asset Manager"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.3, 7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9NUN","label":"Maximo Asset Management Scheduler"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.3, 7.6.7.1, 7.6.7","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSQHAB","label":"Tivoli Integration Composer"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSXQ46","label":"IBM Maximo Asset Health Insights"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1.1, 7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSQPHC","label":"Maximo Asset Management Scheduler Plus"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.3, 7.6.7.1, 7.6.7","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKZS","label":"Maximo Calibration"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKVFR","label":"IBM Maximo for Service Providers"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSSKYY","label":"IBM Maximo Network on Blockchain"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.1, 7.6.0.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEMKY","label":"IBM Maximo Workforce Assistant Solutions SaaS"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
19 February 2021

Initial Publish date:
01 December 2020

UID

ibm16416241